I am trying to get input from a PowerShell script.
It drives me up the walls. I already have other PS scripts running just fine, so this really puzzles me.
I have 3 heavy forwarders on Splunk and 18 universal forwarders on Splunk 7.2.4.
When using this inputs.conf setting:
script = Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID,Size,FreeSpace | findstr.exe '[0-9]$'
index = os_monitoring
schedule=*/5 * * * *
disabled = 0
I get only input on 3 UF hosts and 2 HF hosts.
One of the HF hosts delivers the following in the _audit log, but no output.
05-04-2020 16:35:00.0014151+2 INFO enqueue job for stanza=df
05-04-2020 16:35:00.0014151+2 INFO Start executing script=Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID,Size,FreeSpace | findstr.exe '[0-9]$' for stanza=df
05-04-2020 16:35:00.0170289+2 INFO End of executing script=Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID,Size,FreeSpace | findstr.exe '[0-9]$' for stanza=df, execution_time=0.0156138 seconds
The other boxes do not deliver anything in terms of output or errors; I just see that the app is deployed.
When switching to a real script like in the following:
script = . "$SplunkHome\etc\apps\FA-windows-diskspace\bin\scripts\df.ps1"
I again get the same result. The majority of systems do not deliver output and I see no errors in the _* indices.
I am a bit lost.
I would expect all machines to fail or none, but not this inconsistent behaviour.
Any ideas?
To answer my own question...
On some systems doing a findstr "[0-9]$" worked, on some not. Some Windows/PS silliness I guess.
But that also begs the question, why does Splunk not tell me that the script has been executed in general?
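
An added example, not part of the original post and not the poster's df.ps1: one way to write the disk check so it filters on object properties instead of piping table text through findstr.exe, and so a WMI failure produces an event rather than no output. The PercentFree, Status and Message field names are assumptions chosen for illustration.

```powershell
# Added example (not the poster's df.ps1).
# Assumed field names: PercentFree, Status, Message.

try {
    # -ErrorAction Stop turns a WMI failure into a terminating error,
    # so the catch block below runs instead of the script ending silently.
    $disks = Get-WmiObject Win32_LogicalDisk -ErrorAction Stop

    $disks |
        # Keep only volumes that report a size. This drops empty optical
        # and card-reader drives without relying on how the table text
        # happens to be rendered on a given host.
        Where-Object { $_.Size -gt 0 } |
        ForEach-Object {
            # Emit one object per volume; each property becomes a field.
            [pscustomobject]@{
                DeviceID    = $_.DeviceID
                Size        = [uint64]$_.Size
                FreeSpace   = [uint64]$_.FreeSpace
                PercentFree = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
            }
        }
}
catch {
    # Emit the failure as an event so it can be searched for
    # in the same index as the normal results.
    [pscustomobject]@{
        Status  = 'error'
        Message = $_.Exception.Message
    }
}
```

Running the file in an interactive PowerShell session on an affected host shows directly whether it returns volume objects or the error object.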